Apr. 10th, 2008

memelaina
I had been thinking, with some annoyance, about passwords as I logged in this morning, and there was a corporate security newsletter in my inbox. It had an informative article on "the top ten passwords that people use" - starting, of course, with "password1". The article was well written, and seemed to be genuinely interested in the topic. But it espoused complex passwords, different passwords for all accounts, and frequent, irregular change. I wrote the following "letter to the editor" to share my thoughts. They probably won't like them.

I've been working on security systems and teaching people to choose passwords for over 20 years. I'm a pretty savvy user. My favorites are "2band&2b" (to be and not to be) and "tea4two" - although I haven't used these personally in a lot of years. The second one, a "smart" password in the 80s, now no longer meets the minimum requirements. It's those minimum requirements that I would like to address.

While I do understand that the majority of people use overly simplistic passwords, I firmly believe that forcing frequent password change is a bad solution to the problem. Why? Because it causes people to write down their passwords! Our company now requires me to change my VPN password (which used to be a memorized but meaningless string of eight characters, numbers, and alphas) every few weeks. What does that mean? It means that I use a simple word and number progression, and that I write down the latest password and keep it under my keyboard. Instead of changing my passwords every three or four years and having just a half dozen or so - now every site I use requires me not only to use a special format but to change the password at frequent but irregular intervals. The result? I keep a written password list. Something that I have never done in nearly thirty years of working with computer systems!

Learning theory tells us that most humans can remember a string of seven things. That's why phone numbers are seven digits long. When you get over that you need the visual reinforcement of a list. I now, by system requirement, have different passwords for my VPN, my single sign-on, my laptop and desktop computers, my bank account passwords (three banks), and my home email accounts (again three). Those are just the ones that require constant and irregular change! Most of the several dozen or so other accounts that I use have a carefully-chosen, standard, nine-character, non-word password that includes caps, special characters, and numerics. I challenge anyone to hack it. The thing is, I -remember- that password. The other accounts? There are too many of them and they change too often. So I have a password list, and I carry it with me.

And a written password list is a worse security breach than a simplistic password or a password that goes a year without changing.

P.S. - Just in case any of you were planning on mugging me - I don't really keep my password list under my keyboard or in my purse. I'm not QUITE that stupid or that angry.
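As an added illustration (not part of the original post), here is a rough Python model of the tradeoff the letter describes: the naive brute-force search space of the password styles it names, a toy version of the "minimum requirements" policy, and what is left to guess once forced rotation degrades into a "word and number progression". The policy thresholds, class sizes and sample passwords are assumptions, not the author's data.

```python
import math
import string

# Character-class sizes for the naive "each position drawn uniformly" model (assumed).
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "special": len(string.punctuation),     # 32
}


def classes_used(password: str) -> set:
    """Return the set of character classes that actually appear in the password."""
    found = set()
    for ch in password:
        if ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        elif ch in string.punctuation:
            found.add("special")
    return found


def brute_force_bits(password: str) -> float:
    """Upper bound on search-space entropy in bits: length * log2(size of the classes present).
    A real attacker would try dictionary words and phrases first, so this flatters
    memorable passwords such as "tea4two"; it is the best case for them, not the worst."""
    alphabet = sum(CLASS_SIZES[c] for c in classes_used(password))
    return len(password) * math.log2(alphabet)


def meets_policy(password: str, min_len: int = 9, min_classes: int = 3) -> bool:
    """Toy 'minimum requirements' check (thresholds are assumed, the post does not state them)."""
    return len(password) >= min_len and len(classes_used(password)) >= min_classes


def rotation_bits(counter_range: int) -> float:
    """Effective entropy of the *next* password under a 'word + number progression' once any
    earlier password in the series is known: only the counter remains secret."""
    return math.log2(counter_range)


if __name__ == "__main__":
    for pw in ("tea4two", "2band&2b", "Xy7!kq2Lm"):   # last one is a constructed 9-char sample
        print(f"{pw:10} {brute_force_bits(pw):5.1f} bits  policy ok: {meets_policy(pw)}")
    print(f"next password in a 12-step progression: {rotation_bits(12):.1f} bits")
```

The point of the last line is that a rotation policy which pushes users into a predictable progression replaces a 50- to 60-bit secret with one of only a few bits, which is the letter's argument in numbers.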

Mem Morman